berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
128s
max time network
165s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/0517d55470df3590c88f39d41a416047.exe
Size

1.3MB
MD5

0517d55470df3590c88f39d41a416047
SHA1

a68551eb51f57c8b1d5ad45163ce1ba835d1ac0a
SHA256

b7ed13cec9b876a24f0bcfca27b2ab5fe5f9e85f448cc9d8da20f629b2148730
SHA512

2e06ad3cdb80ecec8d32dfe2ad68c7857fbba1400fd033e601d789a5a661f8a98cd3807b83bb02ea72fe9bbabbacb9a8200f85046df1aea2d85d05542305b1d0
SSDEEP

24576:P7vr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:TkB9f0VP91v92W805IPSOdKgzEoxrlQ3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkceokii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipmfjee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiildio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibaeen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ennqfenp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiglnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	5364	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3208	Dkceokii.exe
2944	Dfiildio.exe
232	Dbbffdlq.exe
4516	Deqcbpld.exe
4752	Eeelnp32.exe
1500	Ennqfenp.exe
1936	Epmmqheb.exe
3604	Emanjldl.exe
4836	Enbjad32.exe
4068	Fligqhga.exe
2912	Ffqhcq32.exe
2024	Ffceip32.exe
1972	Fpkibf32.exe
1912	Gehbjm32.exe
4756	Gblbca32.exe
1064	Gemkelcd.exe
3980	Gnepna32.exe
4456	Gimqajgh.exe
3344	Hipmfjee.exe
560	Hfcnpn32.exe
1940	Hidgai32.exe
2836	Hfhgkmpj.exe
4444	Hbohpn32.exe
1584	Ibaeen32.exe
2512	Ipeeobbe.exe
1004	Illfdc32.exe
1636	Ipjoja32.exe
2236	Ieidhh32.exe
4136	Jiglnf32.exe
1808	Jcoaglhk.exe
2080	Jpcapp32.exe
1020	Jilfifme.exe
4988	Jcdjbk32.exe
1524	Jphkkpbp.exe
3168	Jedccfqg.exe
3216	Kcidmkpq.exe
576	Kjblje32.exe
1740	Koodbl32.exe
4964	Kgflcifg.exe
4176	Klcekpdo.exe
3196	Kcmmhj32.exe
1712	Kflide32.exe
2504	Klfaapbl.exe
1204	Kcpjnjii.exe
764	Kjjbjd32.exe
1144	Klhnfo32.exe
4240	Kcbfcigf.exe
2100	Kjlopc32.exe
236	Lljklo32.exe
3580	Lcdciiec.exe
4984	Ljnlecmp.exe
1012	Llmhaold.exe
888	Lcgpni32.exe
812	Ljqhkckn.exe
2584	Lqkqhm32.exe
2884	Lcimdh32.exe
3792	Ljceqb32.exe
2040	Lqmmmmph.exe
412	Lggejg32.exe
2332	Lnangaoa.exe
4772	Lobjni32.exe
4064	Lncjlq32.exe
3360	Mogcihaj.exe
5028	Mnhdgpii.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dbbffdlq.exe	Dfiildio.exe
File created	C:\Windows\SysWOW64\Dnbjkgmg.dll	Jpcapp32.exe
File opened for modification	C:\Windows\SysWOW64\Lobjni32.exe	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Njfkmphe.exe	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Klfaapbl.exe	Kflide32.exe
File created	C:\Windows\SysWOW64\Lcgpni32.exe	Llmhaold.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Jponoqjl.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Iophfi32.dll	Gimqajgh.exe
File opened for modification	C:\Windows\SysWOW64\Njjdho32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Mmpmnl32.exe	Mfeeabda.exe
File created	C:\Windows\SysWOW64\Njjdho32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Cggimh32.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Lnangaoa.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Mglpdp32.dll	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Pnjbcghk.dll	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Mqnbqh32.dll	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Dgeenfog.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Hbohpn32.exe	Hfhgkmpj.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Dbdjofbi.dll	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Ggmkff32.dll	Jilfifme.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Phonha32.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Ncpgam32.dll	Llmhaold.exe
File created	C:\Windows\SysWOW64\Idefqiag.dll	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Koodbl32.exe	Kjblje32.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Jpcapp32.exe	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Kcidmkpq.exe	Jedccfqg.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Jcknij32.dll	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Hidgai32.exe	Hfcnpn32.exe
File opened for modification	C:\Windows\SysWOW64\Monjjgkb.exe	Mmpmnl32.exe
File created	C:\Windows\SysWOW64\Ckkpjkai.dll	Nadleilm.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Jiglnf32.exe	Ieidhh32.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	Moipoh32.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Afakoidm.dll	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Gemkelcd.exe	Gblbca32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6360	6276	WerFault.exe	256

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhgkmpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Illfdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpcapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcdjbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnepna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfcnpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcgpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcekpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnlecmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klhnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjlopc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mogcihaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfeeabda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monjjgkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fligqhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipjoja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnangaoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnhdgpii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkibgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ennqfenp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0517d55470df3590c88f39d41a416047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deqcbpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjblje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqkqhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieidhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibaeen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfaemp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epmmqheb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcimdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljceqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeelnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiglnf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hidgai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdbkbbn.dll"	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieidhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deqcbpld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiipfmi.dll"	Emanjldl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egljbmnm.dll"	Dkceokii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjmpfcl.dll"	Dfiildio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cncnob32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3208	4080	0517d55470df3590c88f39d41a416047.exe	89
PID 4080 wrote to memory of 3208	4080	0517d55470df3590c88f39d41a416047.exe	89
PID 4080 wrote to memory of 3208	4080	0517d55470df3590c88f39d41a416047.exe	89
PID 3208 wrote to memory of 2944	3208	Dkceokii.exe	90
PID 3208 wrote to memory of 2944	3208	Dkceokii.exe	90
PID 3208 wrote to memory of 2944	3208	Dkceokii.exe	90
PID 2944 wrote to memory of 232	2944	Dfiildio.exe	91
PID 2944 wrote to memory of 232	2944	Dfiildio.exe	91
PID 2944 wrote to memory of 232	2944	Dfiildio.exe	91
PID 232 wrote to memory of 4516	232	Dbbffdlq.exe	92
PID 232 wrote to memory of 4516	232	Dbbffdlq.exe	92
PID 232 wrote to memory of 4516	232	Dbbffdlq.exe	92
PID 4516 wrote to memory of 4752	4516	Deqcbpld.exe	93
PID 4516 wrote to memory of 4752	4516	Deqcbpld.exe	93
PID 4516 wrote to memory of 4752	4516	Deqcbpld.exe	93
PID 4752 wrote to memory of 1500	4752	Eeelnp32.exe	94
PID 4752 wrote to memory of 1500	4752	Eeelnp32.exe	94
PID 4752 wrote to memory of 1500	4752	Eeelnp32.exe	94
PID 1500 wrote to memory of 1936	1500	Ennqfenp.exe	95
PID 1500 wrote to memory of 1936	1500	Ennqfenp.exe	95
PID 1500 wrote to memory of 1936	1500	Ennqfenp.exe	95
PID 1936 wrote to memory of 3604	1936	Epmmqheb.exe	96
PID 1936 wrote to memory of 3604	1936	Epmmqheb.exe	96
PID 1936 wrote to memory of 3604	1936	Epmmqheb.exe	96
PID 3604 wrote to memory of 4836	3604	Emanjldl.exe	97
PID 3604 wrote to memory of 4836	3604	Emanjldl.exe	97
PID 3604 wrote to memory of 4836	3604	Emanjldl.exe	97
PID 4836 wrote to memory of 4068	4836	Enbjad32.exe	98
PID 4836 wrote to memory of 4068	4836	Enbjad32.exe	98
PID 4836 wrote to memory of 4068	4836	Enbjad32.exe	98
PID 4068 wrote to memory of 2912	4068	Fligqhga.exe	99
PID 4068 wrote to memory of 2912	4068	Fligqhga.exe	99
PID 4068 wrote to memory of 2912	4068	Fligqhga.exe	99
PID 2912 wrote to memory of 2024	2912	Ffqhcq32.exe	100
PID 2912 wrote to memory of 2024	2912	Ffqhcq32.exe	100
PID 2912 wrote to memory of 2024	2912	Ffqhcq32.exe	100
PID 2024 wrote to memory of 1972	2024	Ffceip32.exe	101
PID 2024 wrote to memory of 1972	2024	Ffceip32.exe	101
PID 2024 wrote to memory of 1972	2024	Ffceip32.exe	101
PID 1972 wrote to memory of 1912	1972	Fpkibf32.exe	102
PID 1972 wrote to memory of 1912	1972	Fpkibf32.exe	102
PID 1972 wrote to memory of 1912	1972	Fpkibf32.exe	102
PID 1912 wrote to memory of 4756	1912	Gehbjm32.exe	103
PID 1912 wrote to memory of 4756	1912	Gehbjm32.exe	103
PID 1912 wrote to memory of 4756	1912	Gehbjm32.exe	103
PID 4756 wrote to memory of 1064	4756	Gblbca32.exe	104
PID 4756 wrote to memory of 1064	4756	Gblbca32.exe	104
PID 4756 wrote to memory of 1064	4756	Gblbca32.exe	104
PID 1064 wrote to memory of 3980	1064	Gemkelcd.exe	105
PID 1064 wrote to memory of 3980	1064	Gemkelcd.exe	105
PID 1064 wrote to memory of 3980	1064	Gemkelcd.exe	105
PID 3980 wrote to memory of 4456	3980	Gnepna32.exe	106
PID 3980 wrote to memory of 4456	3980	Gnepna32.exe	106
PID 3980 wrote to memory of 4456	3980	Gnepna32.exe	106
PID 4456 wrote to memory of 3344	4456	Gimqajgh.exe	107
PID 4456 wrote to memory of 3344	4456	Gimqajgh.exe	107
PID 4456 wrote to memory of 3344	4456	Gimqajgh.exe	107
PID 3344 wrote to memory of 560	3344	Hipmfjee.exe	108
PID 3344 wrote to memory of 560	3344	Hipmfjee.exe	108
PID 3344 wrote to memory of 560	3344	Hipmfjee.exe	108
PID 560 wrote to memory of 1940	560	Hfcnpn32.exe	109
PID 560 wrote to memory of 1940	560	Hfcnpn32.exe	109
PID 560 wrote to memory of 1940	560	Hfcnpn32.exe	109
PID 1940 wrote to memory of 2836	1940	Hidgai32.exe	110

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0517d55470df3590c88f39d41a416047.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0517d55470df3590c88f39d41a416047.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\Dkceokii.exe
  C:\Windows\system32\Dkceokii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\Dfiildio.exe
    C:\Windows\system32\Dfiildio.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Dbbffdlq.exe
      C:\Windows\system32\Dbbffdlq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        24⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        26⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        39⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        48⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        50⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        59⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        63⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        73⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        75⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3760
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        77⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1116
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        80⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        84⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        85⤵
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        87⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        88⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        90⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2172
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        96⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        97⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        98⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        99⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        104⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        106⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        107⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        109⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        128⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        130⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        131⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        134⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        135⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        137⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        140⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        142⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        144⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        148⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        151⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        152⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        153⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        154⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        155⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        156⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        157⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        165⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        168⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        169⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 448
        170⤵
        Program crash
        
        PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 256 -p 6276 -ip 6276
1⤵
PID:6340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
1.3MB

MD5
9a44a6ca3f99a01a0248486ec2e0b2c9

SHA1
1ef1c0c2db912c44b8119f16670494e642cf2df4

SHA256
654d350190a95a543775c12b6f60c6d2fac950fd8a5750dd9d96c3c2f4a10ca6

SHA512
d38b2bc069111448ab94b132009498dca7c6089775d75861094eac19b980dcaac49fb86a9156e759ccb5d7c2c191bae692a27a0d89167da6e5950f2cd777696b

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
1.3MB

MD5
92199eed0eff17bd29a335cbd1419cf4

SHA1
a2cfe64df018407f8fa8610e381bcabca4ca3511

SHA256
a872450c3852f4bc5e42d3a3e75503972fb5ed0c818f1a25b40de11d51ba0f19

SHA512
5d0c68e725048a9f7a4d968ae5454c47302dcaaa5e315bbe487273dce1cf72dc5453629dbaee6947bac118f316bd44503d82cfd1862d6f1b4898ae9fe03057e1

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
1.3MB

MD5
78fe259967f1cda6732a6e1e5d5d3b2c

SHA1
6a72ab2b7d1a261e2322856f2afc85974b307c12

SHA256
9ff6c2efa3fa7202c3a3334be6184c023ae7525d5ded3a70a5d5ad8bf12e2b62

SHA512
50f6e2166fc067b25fd2ba4f1a52776dc63d76d101f1a3a436d6970ff5afbf684a5e27a95e717201c4fd005d307d187dcd73c6228cabcfb381c2371124c01650

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
1.3MB

MD5
08fa76e71d542330653416e918671860

SHA1
d35e8af96a08314f11a144c824e91f451e9417eb

SHA256
4ebb756bebc18628015f93d3a6df3e7070dc71bf8ff4fa09b86ef766e0981098

SHA512
d499c3d3d9381f42412688374f0ce0774c08ba9aadd1586ee985c9273355474679306ab4f2a7fdc8513d0512bee11b76c02281ea10135bd65ae5b61b83ad9373

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
1.3MB

MD5
6f1e837c0f14aff00546b360013deeed

SHA1
3dae96ef0c2f7e344ce3ca81f38f1299a3192c25

SHA256
f082f3ee4b9c1f26aaca6356e4f98fbf8e40fe257a7f4825cc5b8c347a91c088

SHA512
78c39d3a99f7395bc781ab0e3cb8530e985258e7ac67fa510b75df890920067ad702a6ecc701351b2a8d20370f98ac977ad0b8bd6b0b265701f46f3e96f3434a

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
1.3MB

MD5
bb332bf2dd30416f751768c159dc6454

SHA1
97831d2227b3e9ac25d82242599ca646a794f83e

SHA256
3dfc6330b7b1f359d7c109cb79126b86c0e9f180cbb1cd795ce01e5cdee66042

SHA512
2b19f67bfabd1f83e9a5d729e70a563261a66922c8374e12b3e5bc4a05f9ad48a9856705c1e12e428b88f4b02929db59c272f22d8a6a82d9dc4b3047796ba5bc

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
1.3MB

MD5
f905990cae2bb9e0e0f5c25666ed6dc7

SHA1
945ced8ff499ef779b5e77b1ef52dbea21af0920

SHA256
c85c61120ea5ec07d7b5109e01e1f3052fca3e5265da20a0f43ac4a457ba5e95

SHA512
cc7abf0d3d3119eb8ebe9060fabf2bef3a5c743ed88666f13dc28fd69de9c3831a7d78475de4ff590bdd80a278a82b9ae2b0fcdbfc8d573f1d6df2e95c19abc3

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
1.3MB

MD5
4c1d795c28de4ef69b3a2cd2b5dbd505

SHA1
7e735edc1cae8eaf36974901300a25a564c555bd

SHA256
61e7b7b05f354053734479cd5ca44de2309ec3fc900c0c7f8024a446ccb0639a

SHA512
25af75aa2f7392f9cddae565fea0542b8fd7dcbe44b42661e6449300af0e9b8dc1379ed7cbe7665a9ec0f1020a0a99cddeb5b66640db43e0724eb52f7e8b352b

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
1.3MB

MD5
cdc1acc8fb61b22c5ff3f64c25789a12

SHA1
176f5137a58656908f1cfc024d33eab4f3271fe2

SHA256
412e02554fc7ed2acb5f3926020e6cb09c829673092c67f41db6f99abd56a043

SHA512
95e9c25ddbfe9d7802ff171a3b52bf2c9f9a1d1bedece2906dea0494bc0e78165f72c76006b425723e8687430973ec59f43515bbe2fc76d937206d23b532c6cb

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
1.3MB

MD5
839b881fe96e3391b3a09363aa7dad6f

SHA1
ee2f66ed31d4a0bf3921538cd09862a41de50ff2

SHA256
2465be9da8734b9cc82598f22f9e6321a9bce5e964d88085185bf6496d037d0e

SHA512
ae4fed45e7b5b960981a66e5cc40cc117ef1ebc05c9252e1e6f5dc73fbab9340f8fb76c9bedfbb5ee386293b96e62ef829ec8dd4a95fab5f120db2822f9a7f5e

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
1.3MB

MD5
0db95630a0208c09f5e433522913ba1e

SHA1
0751a4ffcd286547e1477d9bb686086fffc565d4

SHA256
d426391bce7c62fadff31b79d1255364efacbb0fbd03342d5fed5335a76cc669

SHA512
8ed4c9e701c175c31de26f6a3bdbf7d660771c963ea6eac31ea21478989674fe60553d263046efed54a6af2550d467e45f96600bf88e7c1a2d50edb3e14bfb07

Download Submit
C:\Windows\SysWOW64\Fligqhga.exe

Filesize
1.3MB

MD5
db42c63719c8587a034a8d9495795618

SHA1
b197cde0c577f938e956c75197ba8fe0ade10577

SHA256
1dc35c8215a2c7b30561e50a2148e59d3e9ecbf654c42686a0f77bb09e06c3fa

SHA512
ea7ed6948eaacb17ec1228eab36427be7df5b53235a7d5d188990418e81987b19368d469ee6e8c183ee3f40b53aff4ac26eacf8b6862bbd9db60238b7dae3716

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
1.3MB

MD5
0c63d489e8c0c115b9bde426643e3905

SHA1
1010cd9920854bd93c2d8aaf72144b2fc7910d6d

SHA256
d82de7d9a490a680a509bdf7a1204185ad2b27caac4a8dd096339fed26465594

SHA512
20cb570da5ceea52ba19f780180b3214997856541818437f1b20297b781c997e0e5a9468e4c726ec1f587e026c5a7c0d9a7ee0dd9101290bf1c66e07ca90202f

Download Submit
C:\Windows\SysWOW64\Gblbca32.exe

Filesize
1.3MB

MD5
f099991e874f3c8f6f9f57028b34d406

SHA1
5133a1e337d9dc790267be06ca07790ffd2bd439

SHA256
91b12597c54b9279c80589c53c200c50e1a76b17a547885c0f08a707817b3a8e

SHA512
b980dafb92dde30420701bf92946d962f524826a04fafb231b96e82604269758a88b00a2c3fe9ffde1399aa0dba10e8bb70b5c13286e99f1f1cb19306de17a5c

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
1.3MB

MD5
374241802d6e40713095b3aa4a27e36c

SHA1
4ba5422fca7f91b1e1ba47db5b1ddc7e7e030011

SHA256
3192f11516c13bc1a069eeb97d87631e21f6db45b44de859a7c0e55b96e18d0b

SHA512
2c28049a6d8f6630cd24200c419700fd4d6d11992c063a5985529ba1fe80eb611f617d4604f7b05272721bd27ac52072b133cf999c66a1c8c404f2ea468e868a

Download Submit
C:\Windows\SysWOW64\Gemkelcd.exe

Filesize
1.3MB

MD5
92ff2862ffed80ec78c672daa19d51f9

SHA1
0c161eab4c36c89354b4274843d572d812030aed

SHA256
9cee5759943d24e80333a77e41c034305b5e2b0dc1bd94b357dcc3b27cf7ff79

SHA512
ee92273917fd962727e419545ab4898b5adf7a1a3ae9171aa66aecd7229e1c014d8f6a6b9de26a0831ea272b0421b8ae8aec2a41226076718e28d55e6f808847

Download Submit
C:\Windows\SysWOW64\Ghcjeh32.dll

Filesize
7KB

MD5
bd6478cf47b246b12ac2162fde607ba3

SHA1
d6e8dc909c046b9ca5a2fea441837caa83f10e98

SHA256
d63335ab704794e4f866250901e290a9c78c974eff6ee4919f12e9955c71545f

SHA512
5c448b04ff3cfaa8c1a5ec6eb9d2f7ef9a23078418217701b10d92acad0a17b78d39ed4af3c7525d363c9ab1d93816e6d6989873bc0d34fa024bb54367f7e53f

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
1.3MB

MD5
2842474208013b70edcfa4a17c67238d

SHA1
7827adaa24c7761bf428cb7d6d5f46fbb0dae1c6

SHA256
d3635bd63a610bbf783af8954e4e000a77f4b458f35622501adbca79c1bf981e

SHA512
e9e5cf5ba2cb917e41c21484fb91c18537550a8da909ed8e54b6c07a4ef8d3152097df903d740742f93c668939e4795e79e2d3d64506fe56bef416fd2ba8c150

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
1.3MB

MD5
0062e185c8780bb58a122c7e2a8f0ad6

SHA1
4120c1508d3c5010cea8f70dbce52cbba85ab408

SHA256
2fffe0c74e2786196e7aaedf4f4859733a9faade349f4c979bfe03cffc5bb442

SHA512
3b7df52cf9ba013c6200be8df7f5836fbf18e9171ba7c956d89010b6242289023fdfeee6d0d57adaa1053d51169928f2457d012ce7dea2a65586fdcc332e490f

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
1.3MB

MD5
ee11c5051579cc926b63bcea57719a31

SHA1
451c96f438a1d6385b7d52b9b8ba9adac62d29b2

SHA256
79e602b7e6a4e66e2b0e2238af5869318e2e69cfdb54853ee2473f13e948d19e

SHA512
534e00ad8f76a2425532e22f668cb82d9d2ebeb9947d2fe948478e2d4a05a4b36aa4dcacfd69cdbe2c670a171137e37a5c2ba466e7d9d4b194d9028090f8641f

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
1.3MB

MD5
bd09b541bc94e07ddbe061e5075e9c96

SHA1
2690bd40b76b2f3f3079d34ec5c08f8a43db7f32

SHA256
9bd3344ae8b7bc67a4722c79d91b846c55968003ba143514c7a8b014f8d5aba7

SHA512
a5cb6a21e73df3411555e60ea96fa4d0d7eeb042f52c064217cb846fd7050b464c58f632c2db276e6669846a93cef042cb738943ce466ecd29734e89eb6e1cb7

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
1.3MB

MD5
3cec5c25c66895fdeb05663fbe40456e

SHA1
2e17a9e9f065df613b6aaa12e55cd72439f4bdc3

SHA256
a6e8155d7280a658a53db33faab40b3adb383c9b1b3e8755de1f025d21890ed2

SHA512
00903dcfb3f9041ebad95a57233cde1b40a58b11231b8b3fb1d813ab3b7fca3da06798ef799679d7340f4dba21824ed4f5045255fc92a5f1f3e39452d0fd5c24

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
1.3MB

MD5
5e2e03f5f38f404588a7cea3a00bc911

SHA1
3d087f2ba69ea1ded20ccb15e5124a4e49719e64

SHA256
3cafbcac20213b9d9a7ca2e0b46e70a5261a1babb8d8ca5aadbf68d87319164c

SHA512
a2620596fe58649b8767ca1ff66a8218065ed5d57007ddaa63bb2d8adc729a6392ae829990f3306578085561f9e0315e6bdab18168f24e368a1d5566ed91718a

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
1.3MB

MD5
3c562e12d4bde91ea080c170a8dcd4ab

SHA1
410bbe7e6484539890ef63caee009f9dc3df5205

SHA256
3dd6a0d4ae0b75d1af7dfc5ef81b1470aad67b46afe43f7acaed633e05b6fc1a

SHA512
43609ab771853f8795c1d950d0e03e3fecc48178f053d939b955279bd2d3234c43b32f997f77fd2ba0f34faf536ee9458c0803c3de4751ae6d873cd88776e4e0

Download Submit
C:\Windows\SysWOW64\Ibaeen32.exe

Filesize
1.3MB

MD5
2a15d33ee97598261701c64a076f6db7

SHA1
4656c161f0c5fdab3a8b39b6d8fc4a94136463d5

SHA256
9bac77e621825548f34feb505f9d8f1b09957f8ff5cfacff2a39da36b5a197b3

SHA512
429600e70e95a9e4911dc91b22a5b79d55e9b14924e05d43f0810cb2cbcc44c205f58766db42e2f8452ef98811e79214217134f515133b37163d2034918a415a

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
1.3MB

MD5
dc877a4cb749573f29626be3430aa4bb

SHA1
1767eecc0112dd150d73eeb5bbcdf5b23dbf1d35

SHA256
9a1f99f155b7ca4e099821ad3d771f8ad302c5afa7d8261925c4997dac970cae

SHA512
d681f230feee4bfe273b7d317c3ac9dcc91478668c08b01d23c9544198a32e7690e0e6398708e22e65ceb46b57049f0d14313a91361904d16d96fc9cc5150b01

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
1.3MB

MD5
d4f2e36ebd8699a60fe9e76d5f00657b

SHA1
a2d17d1db156bc8c1b61d3c5f67fc4ad8f5b2670

SHA256
b80a53c42784477ec73f833ea88c8d78a19d158dce42b8572d3afb104fd325f0

SHA512
6b6917d462752d02239c5003d2a6afd53a544564ae852de85327f9cc9d594bfe3850fb0856bdb37637d240933fe79af15a68c5c7fead54056bf36fc071f34a3c

Download Submit
C:\Windows\SysWOW64\Ipeeobbe.exe

Filesize
1.3MB

MD5
25f960f48dc84e9b340302130996600b

SHA1
3a521c20428538cceafc21f27fdb2675b3719136

SHA256
75ffbef29fc55cd0748529f258ff93a49a7f79e4ec3388fbf0529bda502ab64a

SHA512
b9073c50f62ccbdbf104676758c8bcd2e767479c0cbcf2b524d38c0b859df5aa9c4b76031c5f932a74a983a7c063d93d2be89b9fa6ce3cabbd38029e3bd4bb95

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
1.3MB

MD5
f51bf7b1ddd7754952863782c16b586b

SHA1
5ea48274073c123ca8f4b99aeafa63fdffcf7e6b

SHA256
50f7644153ea884a611adb7db4e70c291625b228d0faa326fafbbc22e027a270

SHA512
7c0c7901987d192e811edada7925b86bbe82f983c9b47f8abe0c813e003e0c31c6cc2ae4c164f3e3399817efa7242609cf28db54b77608e713044a37857c1f27

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
1.3MB

MD5
1fa43aa96ed8478e3b13c823517caaa8

SHA1
ce7a88d707f06b059301ebe641415df9c3fb76bf

SHA256
7c75817b2f138993f9062c82d58c659bc3b3edef1c426817cbc5568a7fd9f03a

SHA512
ebe9eae6264d935488942ade32b5a5f49be08790986309b99ed4729a4f7c12a42bfba14a50be6126140239ae34abc3964bb897419d5e44a006900be70cd5932b

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe

Filesize
1.3MB

MD5
f125c8abf1c880e0365f2e4b79ec3e6c

SHA1
84fb5d57855c46f8d835dbc69eb18a5f10d3b8b5

SHA256
98987afe10e6a34b83b180ad6ae5d76f2254a0e23d83a7f0bc70374780556762

SHA512
07a2ac20b4c14320fac78db382c29c3fde89c749d222d0f067052be1bc93a28d97695bf1b241a1a6516c1fba9110477e2e16dc17e8af5e96e1753d54dee2cff3

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
1.3MB

MD5
cfe496ccba77cbf2b60d398fa06c70a5

SHA1
7053e4257d2c6d314c8b67db17f02fcd9d8243e5

SHA256
0cc6ba941663b5ecabbc44ae8d028288a92d5857e0814dd654af3b4250658bf9

SHA512
8246c149244016f044b3a84ed109a2748842966a999cd0210469a1233b4d766efc5dc70e4cf2a317a3482b9686aedf9d0636efcbf180093a5767acc9d1bc69b6

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
1.3MB

MD5
cfafeaafb673f4db48cb2d8b42402bae

SHA1
7e98a25e85f550ecf32960e0882074d5d85ba4a3

SHA256
09dd964ec2a23980524419a891aecec97dcfefc8a0ca8cb0924ce91b163f8cf9

SHA512
b3e7cd7e48e29c2552e7ef973e5c29014fd71bf1986d583aac9b4971e48e887af8cf92af7cfb8be8a8868f981fa3841c6475b0645e5a36f66c89ea8e035cf6cf

Download Submit
memory/116-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/236-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5380-943-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6276-827-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads